Re: [fw-wiz] Security of HTTPS
From: Kevin Sheldrake (kev_at_electriccat.co.uk)
Date: 11/28/04
- Previous message: Shimon Silberschlag: "Re: [fw-wiz] Security of HTTPS"
- In reply to: Shimon Silberschlag: "Re: [fw-wiz] Security of HTTPS"
- Next in thread: Ng Pheng Siong: "Re: [fw-wiz] Security of HTTPS"
- Reply: Ng Pheng Siong: "Re: [fw-wiz] Security of HTTPS"
To: "Shimon Silberschlag" <shimons@bll.co.il>, lordchariot@earthlink.net, firewall-wizards@honor.icsalabs.com
Date: Sun, 28 Nov 2004 15:38:09 -0000
I'm not Erik (as you probably realised) but I believe the following can be
configured to do this:
* Checkpoint FW-1 NG
* Microsoft ISA Server
(I could be wrong; these examples relate to other people's infrastructure
and their description of it to me.)
I expect others do too, to enable content filtering at an organisational
boundary, re-encrypting with their own certificate upon success. If their
own certificate has been signed by a trusted party (CA) then the user will
be practically unaware of the decryption. One organisation's IS Manager
pointed out to me that the firewall/server doesn't have to re-encrypt the
stream, allowing it to present the 'SSL' pages to the user over HTTP. He
configured his firewall/server to re-encrypt so as not to alarm the user
(lack of padlock in the browser)!
Without sounding cynical, I think these are excellent examples of SSL MITM
attacks, perpetrated by managers of 'third party' infrastructure, usually
without user awareness. The idea that SSL would provide end-to-end
encryption is laughable when this example is considered.
As I hinted above, I expect most enterprise firewalls offer this
functionality. My mention of the above products is in no way an
endorsement; they just happen to be two I have been informed of.
Kev
>> there are some products
>> out there that intentionally decrypt an SSL connection.
>
> Erik,
>
> Can you give a list of those products? I'm only familiar with Finjan's
> Vital security for SSL.
>
> Shimon Silberschlag
>
> +972-3-9351572
> +972-50-7207130
>
> ----- Original Message ----- From: <lordchariot@earthlink.net>
> To: <firewall-wizards@honor.icsalabs.com>
> Sent: Tuesday, November 23, 2004 18:00
> Subject: RE: [fw-wiz] Security of HTTPS
>
>
>>
>> I wouldn't necessarily call it a MITM attack, but there are some products
>> out there that intentionally decrypt an SSL connection. These types of
>> products will take an SSL certificate as presented from the web site, and
>> re-create a new one on-the-fly to present to the client browser. If the
>> product's CA cert is loaded into the client, there aren't any certificate
>> warnings. If not, then most people click through the cert warning anyway
>> because they don't know any better.
>>
>> These products are generally used to perform AV scans or Ad-Popup blocking
>> through an SSL connection. For example, an attachment coming in through an
>> SSL webmail connection that needs to be virus scanned at the gateway.
>>
>> Erik
>>
>> -----Original Message-----
>> From: firewall-wizards-admin@honor.icsalabs.com
>> [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Alex
>> Bihlmaier
>> Sent: Friday, November 19, 2004 6:07 AM
>> To: firewall-wizards@honor.icsalabs.com
>> Subject: [fw-wiz] Security of HTTPS
>>
>> Good Morning.
>>
>> I am curious how strong the security of https can be.
>> Is there some possibility of a MITM attack?
>> Are there any papers out there outlining this aspect of security?
>>
>> //thalunil
>>
>> ----------------------------------------------------------------
>> kallisti.de webmail access - email on the road
>> _______________________________________________
>> firewall-wizards mailing list
>> firewall-wizards@honor.icsalabs.com
>> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
--
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Cheltenham) Ltd
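The thread describes gateways that re-sign a site's certificate with their own CA so that a client trusting that CA sees no warning. One way a client or auditor can still notice is to compare the certificate actually received with what the site operator is known to present (issuer and serial number learned out of band). The following is an added illustration of that check, not code from the list or from any product named above; the certificate dicts are constructed samples in the layout Python's `ssl.SSLSocket.getpeercert()` returns, and the CA and host names are made up.

```python
import socket
import ssl


def dn_to_dict(rdn_seq):
    """Flatten the nested-tuple DN form used by getpeercert() into {attr: value}."""
    return {attr: value for rdn in rdn_seq for attr, value in rdn}


def check_peer_cert(cert, expected_issuer_cn, expected_serial=None):
    """Compare a getpeercert() dict with out-of-band knowledge of the real site.

    Returns a list of findings; an empty list means the issuer (and, if given,
    the serial) match, i.e. nothing suggests the certificate was re-created.
    """
    findings = []
    issuer = dn_to_dict(cert.get("issuer", ()))
    seen_cn = issuer.get("commonName")
    if seen_cn != expected_issuer_cn:
        findings.append(f"issuer CN is {seen_cn!r}, expected {expected_issuer_cn!r}")
    if expected_serial and cert.get("serialNumber") != expected_serial:
        findings.append("serial number differs from the one the site operator publishes")
    return findings


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live helper (needs network): open a TLS session and return the peer cert dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: what the site itself serves (hypothetical CA and host names).
GENUINE_CERT = {
    "subject": ((("commonName", "webmail.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA Ltd"),),
               (("commonName", "Example Public CA"),)),
    "serialNumber": "0A1B2C3D",
    "subjectAltName": (("DNS", "webmail.example.com"),),
}

# Constructed sample: what a client behind a re-signing gateway would receive.
# The subject is copied from the original; issuer and serial belong to the gateway CA.
RESIGNED_CERT = {
    "subject": ((("commonName", "webmail.example.com"),),),
    "issuer": ((("organizationName", "Corp Gateway"),),
               (("commonName", "Corp Gateway Proxy CA"),)),
    "serialNumber": "7F00000001",
    "subjectAltName": (("DNS", "webmail.example.com"),),
}

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE_CERT), ("re-signed", RESIGNED_CERT)):
        print(label, check_peer_cert(cert, "Example Public CA", "0A1B2C3D") or "OK")
```

Because the gateway's CA is already trusted by the client, the normal chain validation in `fetch_peer_cert` will succeed; only the comparison against the expected issuer and serial exposes the substitution.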